Malware detected

This is very annoying!

avast home 4.0 keeps detecting what appears to be a dynamic file, Browserhelper.dll, as spyware.

Commands to delete or move to chest indicates that the file cannot be found.

P.O.
Yet alarms go off on startup, running On-access.

What Do I do?

What is the full path of the detected file?

C:\WINDOWS\BROWSERHELPER.DLL

I suggest you download or run Hijackthis
Scan and post your log here… Or go to This Site
and post your log (bottom of the page)
then you will see the unknown processes and which of them you Should (I said should) delete. If possible make a backup of those files ;D
Press the fix button (after you clicked on the files you want to fix) and then delete the Browserhelper.dll file (make a backup but rename it)
Hope this works :wink:

It will help if you Google the name of the dll and submit it to Jotti and let us know the results.

Logfile of HijackThis v1.99.1
Scan saved at 1:22:16 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Google\ggviewer67-94.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Internet Alert\ia99.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Instant Buzz\IBDaemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Replay Radio 5\ReplayRadio.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\MarketBrowser\lmt\mktbrws.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Window of Hope\woh.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\0xgh7edr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Replay Radio 5\Tuner.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Documents and Settings\DALE DAVIDSON\Local Settings\Temporary Internet Files\Content.IE5\D4J7RXW4\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/DALE%20DAVIDSON/Desktop/Manifestation.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)

other files deleted

this came from Google

browserhelper.dll - Here is the scoop on Madfind Trojan. The big question: what is browserhelper.dll and is it spyware, a trojan and if so, how do I get rid of Madfind Trojan?

browserhelper.dll (Madfind Trojan) - Details
If the dll file browserhelper.dll is on your computer, your system could be infected with a trojan that goes by the name of madfind.

Can anyone tell what a BHO is?

A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web (http://www.definitivesolutions.com/bhodemon.htm).
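As an added illustration (my own code, not from this thread or from HijackThis), a small Python triage of the O2 (BHO) lines of a HijackThis log: it parses name, CLSID and DLL path, marks registrations whose file is gone (dead entries that HijackThis can simply fix) and DLLs sitting directly in the Windows directory, where legitimately installed software rarely lives. The sample lines are copied from the log above; the "windir-root" rule is a heuristic I chose, and the Google Toolbar entry it also flags shows why a second source such as a Jotti scan is needed before deleting anything.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: O2 (BHO) lines copied from the HijackThis log posted in this thread.
SAMPLE_O2_LINES = r"""
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")

@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: Optional[str]   # None when HijackThis reports "(no file)"
    file_present: bool    # False for "(no file)" and "(file missing)"

def parse_o2_line(line: str) -> Optional[BhoEntry]:
    """Parse one HijackThis O2 line; returns None for any other line type."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target").strip()
    if target == "(no file)":
        return BhoEntry(m.group("name"), m.group("clsid"), None, False)
    missing = target.endswith("(file missing)")
    path = target[: -len("(file missing)")].strip() if missing else target
    return BhoEntry(m.group("name"), m.group("clsid"), path, not missing)

def in_windows_root(path: str) -> bool:
    """True for a DLL directly in the Windows directory, not a subdirectory such as system32."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return len(parts) == 3 and parts[1].lower() == "windows"

def triage(entry: BhoEntry) -> list:
    """Heuristic findings (my own rules, not HijackThis output) for one BHO registration."""
    findings = []
    if not entry.file_present:
        findings.append("orphaned")        # dead CLSID registration: nothing runs, safe to fix
    elif in_windows_root(entry.path):
        findings.append("windir-root")     # unusual install location; confirm with a multi-engine scan
    return findings

def triage_log(text: str) -> list:
    # Run triage over every O2 line of a log; other HijackThis line types are ignored.
    return [(e, triage(e)) for e in map(parse_o2_line, text.splitlines()) if e]
```

Entries with no finding (such as IBBar.dll here) are not cleared by this check; location is only one signal, and the filename and CLSID still need to be looked up the way the thread suggests.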
There are applications to remove/repair BHO intrusions.
You can start with Antispyware applications (freeware): download, install, update and run it.
Ad-Aware
Spybot Search and Destroy
Spywareblaster
A-squared
Ewido
Webroot Spy Sweeper
Microsoft AntiSpyware

And try to get rid of it.

Win32:Adware-gen was found by Avast in the scan and also Adtomi which is not a virus.

It appears that it may be a false +ve.
INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)

There is also no record in the registry.
How can I stop the alarms? Or will it be removed from the DB?

AntiVir - Found nothing
ArcaVir - Found Adware.Adtomi
Avast - Found Win32:Adware-gen.
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found not a virus Adware.Adtomi
F-Prot Antivirus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found not-a-virus:AdWare.Adtomi.b

From the report, it doesn’t seem to be a false positive, but rather a real adware.

How do I delete it?

If avast detected it you should have had the choice of move to chest or delete; assuming you moved it to the chest, after investigation (which you have now done) you can delete it from the chest.

If avast couldn’t move/delete it because it was in use (protected by windows), schedule a boot-time scan from within avast (XP or NT based OS only).

If you haven’t already got this software (freeware, anti-adware/spyware tools), download, install, update and run it.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. Spywareblaster

Can I suggest that you submit the file:

C:\WINDOWS\0xgh7edr.exe

to Jotti’s scanner as this is almost certainly malware.

http://virusscan.jotti.org/

There is also at least one instance of adware and spyware, so a scan with Ad-Aware and Spybot is essential.

http://castlecops.com/tk1717-IBBar_dll.html
http://www.publishingcentral.com/news.php?story=72

http://www.trendmicro.co.jp/vinfo/virusencyclo/default5.asp?VName=ADW_ADTOMI.C

http://www.bleepingcomputer.com/startups/ia99.exe-f2289.html

Howdy dgdavid,

This is certainly adware; for removal instructions you may consider:
http://www.inet-mates.com/articles/3_rm_adtomi.html

Spyware & adware are the prevailing slime-ware of the moment, and we found a 72% increase of this during the latter half of last year alone.

Lots of success in keeping your comp clean with the help of all of us,

greets,

polonus

:slight_smile: Your HijackThis log indicates you are using a way-out-of-date version of the Java 2 Runtime Environment program in which security “concerns” have been raised; after you resolve the other problem, I recommend you go to www.java.com and download, then install their latest. Then uninstall your current version of Java.